Here's a true Halloween horror story: We blabbed your details

UK financial service regulators only learned of this year's Equifax mega-breach through media reports.

The admission comes in correspondence from the Financial Conduct Authority (FCA) released by the Treasury Committee on Tuesday. A letter from the FCA to Nicky Morgan MP, chair of the Treasury Committee, confirms that the regulator is looking into the credit reference agency's much-criticised handling of the breach.

Equifax initially said a breach that affected 145 million US consumers also hit 400,000 Brits. That admission came on September 15 but a month later the firm admitted that it had underestimated the impact of the breach on UK customers.

Equifax admitted that a file containing 15.2 million UK records dated between 2011 and 2016 had been exposed as a result of the snafu. Most of these were duplicates or test data, meaning the private details of almost 700,000 people had actually been exposed. Equifax said it would be contacting affected UK consumers by post.

Regulatory response

The FCA letter clarifies that these 693,665 customers had their driving licence numbers and the email addresses associated with their Equifax.co.uk accounts in 2014 exposed. The FCA is content to accept Equifax's figures for the number and details of records exposed but still has questions about how long it took Equifax to come up with these figures.

Regulators back Equifax's plan to notify affected parties by letter rather than email because of the risk of copycat phishing campaigns.

The breach, which stemmed from a missed Apache Struts patch (the flaw, CVE-2017-5638, had been fixed by the Struts project in March 2017), was open from May 2017 until it was discovered in July. Equifax then had weeks before going public in September but mishandled the breach notification process at almost every turn, as extensively covered in previous Register stories. Issues have included a bespoke breach notification site so shaky that security scanners flagged it as a phishing site, attempts by senior management to blame the whole sorry mess on a single unnamed techie, and more.

Equifax has come under fierce criticism from both consumer rights advocates and infosec experts, not least because it sells identity protection services. Consumers are stuck with Equifax whether they like it or not because its services are used by businesses to check individuals' creditworthiness.

In its letter to Morgan, the FCA touches on this point without giving away any details of its ongoing investigation.

Credit reference agency firms are subject to the high level principles of the FCA regulatory regime, which include requirements on treating customers fairly and on ensuring adequate risk management, systems and controls. They are also subject to relevant data protection legislation which is enforced by the Information Commissioner's Office (ICO).

While our investigation is under way, it would be inappropriate at this stage for us to comment publicly on what rules might potentially have been engaged.

The FCA adds that it is working in lockstep with the Information Commissioner's Office, which is also running a related but separate investigation into Equifax.

Equifax is really, really sorry

The Treasury Committee also released an 11-page letter (PDF) from Equifax's European president, Patricio Remon, in response to questions put to the company by Morgan. Morgan had asked Equifax about the scale of the breach and what compensation it intended to provide at the same time as she wrote to the FCA. Equifax's UK business is authorised by the FCA, which has the power to fine Equifax, order it to take remedial action or (in extremis) revoke its right to operate in the UK.

Equifax said it began notifying the customers most exposed by letters posted on October 13. "Consumers who have potentially had their driving licence numbers or Equifax.co.uk membership information impacted have been offered a free comprehensive ID protection service, that will enable them to monitor their personal data," the company told Morgan.

It went on to officially confirm that it had hired cybersecurity firm Mandiant to handle computer forensics and incident response. Based on this work, Equifax has "established that the UK core consumer credit data (such as balances and debts owed) or credit referencing systems were not impacted" by the breach. The data of UK customers exposed "related to an historic system that was used by some UK business customers to validate consumers' identities".

One of the exposed files contained 96,275 records, relating to around 27,000 UK subscribers to Equifax.co.uk services.

Equifax apologised for the breach in the response, which provides a detailed timeline of events from its perspective. Investigators will doubtless be looking closely at this timeline in assessing the credit reference agency's breach response and considering whether the notification process was delayed without sufficient reason.

Reg reader David kindly forwarded a copy of one such letter, which he received on Tuesday (October 31), Halloween. An excerpt from this four-page letter is published below.

[Image: Equifax breach letter to UK customers]

In its letter to Morgan, Equifax said it had trouble verifying the addresses of consumers. Even given that Equifax is dealing with a leak of historic data that is some years old, this is still quite an admission from a credit reference agency. The phrase "you had one job" comes to mind...

[Image: Equifax address verification uncertainty]

Cold comfort

Equifax is keen to portray the mess as increasing the risk from cold-calling scammers and perhaps other types of phishing. "For the majority of impacted UK consumers we have notified, the main risk is unwanted cold calling," it said.

The UK data leak did not include the information crooks are likely to need in order to pull off successful frauds, the company reasons.

In the US at least, fraud has already been recorded in relation to the breach. One woman from Seattle told local media that her identity has been stolen 15 times. ®